Cisco Support Community

How can I differentiate iPhone VPN users from PC with same username?

We would like to be able to differentiate between VPN connections from iPhones and VPN connections from software clients on PCs.

We currently have 1 common Groupname for VPN connections to our ASA pair, so I assumed I could create a new Groupname for iPhones. This is easy enough; however, when the users are authenticating via ACS (RSA + AD database mapping), I have no way of differentiating them from their regular PC connections.

I have researched some RADIUS attributes usable in Network Access Profiles; however, I do not see any option to use Groupname as a filter.

Is this possible? If not, is there another way to differentiate this traffic and ideally assign the iPhone connections different ACLs (or IP addresses which can then be used to apply different ACLs on the ASA)?

Our setup is:

ASA 5520 fail-over pair running 8.0.4, ACLs for each VPN group, RADIUS authentication to ACS, IPSEC VPN

ACS 4.2 for Windows with RSA and AD Database mappings

AD on server 2008 R2, users placed in AD groups to map to ACS groups for IP address assignment



Re: How can I differentiate iPhone VPN users from PC with same u

Having an attribute sent from the specific connection is a bit hard. However, you can use the client-type feature on the ASA to restrict what type of users can connect to what groups. The feature is called "client access rule": you permit software clients of type Windows XP, or whatever the client is, to a specific group and deny iPhone clients, and you allow iPhone clients to connect only to specific groups. See the following link of the command reference
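
A sketch of the client access rule approach from the reply above, as an added example that is not part of the original thread or taken from Cisco's documentation. The names GP-PC, GP-IPHONE, VPN-IPHONE, ACL-IPHONE and POOL-IPHONE, the addresses, the local pool and the `*iPhone*` type pattern are all assumptions; the type string has to match what `show vpn-sessiondb remote` displays for a connected client.

```cisco
! Added example. All object names and addresses below are hypothetical.
! The type pattern *iPhone* is an assumption: take the real string from
! the "show vpn-sessiondb remote" output for a connected iPhone.

! Existing PC group policy: refuse iPhone clients, allow every other type.
! A deny rule needs at least one permit rule, or all clients are refused.
group-policy GP-PC attributes
 client-access-rule 10 deny type *iPhone* version *
 client-access-rule 20 permit type * version *

! ACL for the iPhone group. In a vpn-filter ACL the source is the
! remote (client) side, here the iPhone address pool.
access-list ACL-IPHONE extended permit tcp 10.99.0.0 255.255.255.0 host 192.0.2.10 eq 443

! New iPhone group policy: only the iPhone type matches a permit rule,
! and a client that matches no rule is denied.
group-policy GP-IPHONE internal
group-policy GP-IPHONE attributes
 client-access-rule 10 permit type *iPhone* version *
 vpn-filter value ACL-IPHONE

! Separate pool so iPhone sessions are identifiable by source address.
ip local pool POOL-IPHONE 10.99.0.1-10.99.0.254 mask 255.255.255.0

! New group (the "Groupname" the iPhones connect to). The
! authentication-server-group and ipsec-attributes settings are
! omitted here and would mirror the existing PC tunnel group.
tunnel-group VPN-IPHONE type remote-access
tunnel-group VPN-IPHONE general-attributes
 address-pool POOL-IPHONE
 default-group-policy GP-IPHONE
```

The client type and version are reported by the client itself, so these rules separate well-behaved clients into the right group rather than prove what device is connecting; the ACL and pool on the iPhone group are what actually limit access.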


